Fighting DDOS attacks with pf

Kevin Wilcox kevin.wilcox at gmail.com
Mon Aug 20 16:07:36 UTC 2012


On Mon, Aug 20, 2012 at 11:53 AM, J David <j.david.lists at gmail.com> wrote:

> However, the nature of a DDOS attack is that there is not a single
> source IP.  The source IP is either outright forged or one of a large
> number of compromised attacking hosts.  So what I really want to do is
> have a "max-dst-states" rule that would at least temporarily blackhole
> an IP being attacked, but there's no such thing.

Rather than block on the number of states, take a look at dropping
based on the number of connections over some time delta.

Specifically, max-src-conn and max-src-conn-rate.

kmw
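As an added illustration of the per-source limits named above (this is not a rule set from the original post or from the list), a pf.conf fragment that applies max-src-conn and max-src-conn-rate to inbound web traffic and moves offending sources into a table that is blocked early. The interface name, the port, the table name and the numeric thresholds are assumptions chosen for the example; tune them to the service and its normal client behaviour.

```pf
# Assumed external interface; replace with the real one.
ext_if = "em0"

# Table that collects sources exceeding the limits. "persist" keeps it
# across rule reloads even while empty.
table <flood_sources> persist

# Drop anything from a source already in the table, before the pass rules.
block in quick on $ext_if from <flood_sources>

# Per-source limits on new connections to the web service:
#   max-src-conn 100      : at most 100 simultaneous states from one source
#   max-src-conn-rate 15/5: at most 15 new connections per 5 seconds per source
#   overload <table>      : on violation, add the source address to the table
#   flush global          : and kill every state that source holds on any rule
pass in on $ext_if proto tcp to $ext_if port 80 flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, \
     overload <flood_sources> flush global)
```

Entries added by overload stay in the table until removed; `pfctl -t flood_sources -T show` lists them and `pfctl -t flood_sources -T expire 3600` drops entries older than an hour, so a cron job can age them out. Both options count by source address, so they help against a bot population that makes many connections per host; they do nothing for the forged-source case the quoted message describes, since each spoofed packet arrives from a different address. For that case, pf's `synproxy state` (which completes the handshake on behalf of the server) is the closer fit.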


More information about the freebsd-pf mailing list